Re: namedroppers, continued

> OCSP scales fine for revocation checking. We can use the same
> platform that currently serves 6 billion DNS queries a day.

The fact that OCSP scales fine for revocation checking doesn't mean that
you have a system that scales fine for the *TOTAL PROCESS*. Remember - the
tough part isn't checking the list - the tough part is getting entries
*INTO* the list in a secure manner. Go back and re-read the issue at
http://www.cert.org/advisories/CA-2001-04.html and ask yourself if a CRL
would have been handled any differently. Remember - it was a *process*
failure, not a software failure.

The DNS may answer 6 billion DNS queries a day. But I can name some DNS
registrars that would take *MONTHS* to correctly transfer a domain. (The
continuing refrain for *years* on NANOG: "Has *anybody* ever gotten PGP auth to
work with these bozos?")

Also, there's the added issue that the DNS cuts down on traffic by way of
caching. Unfortunately, that's the LAST thing you want a CRL to be doing
(in particular, negative caching is an extreme no-no). You can tell the ISP's
DNS server to cache the SOA and NS entries for amazon.com. You can't tell
the ISP's OCSP server to cache the fact that there aren't any CRLs for
the SSL cert that www.amazon.com uses.

/Valdis
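A small simulation of the caching point made above, added here and not part of the original post: a DNS-style TTL cache keeps serving its cached "good" (no revocation) answer for a certificate that has since been revoked, for as long as the TTL lasts. The authority, cache and certificate serial are constructed stand-ins, not real OCSP or CRL code.

```python
"""Why DNS-style caching is a poor fit for revocation status (added example)."""
from dataclasses import dataclass, field


@dataclass
class RevocationAuthority:
    """Authoritative source: always knows the current set of revoked serials."""
    revoked: set = field(default_factory=set)

    def revoke(self, serial: str) -> None:
        self.revoked.add(serial)

    def status(self, serial: str) -> str:
        return "revoked" if serial in self.revoked else "good"


@dataclass
class TTLCache:
    """DNS-style resolver cache: any answer, including the negative answer
    'good' (no revocation on file), is reused until its TTL expires, no
    matter what the authority says in the meantime."""
    authority: RevocationAuthority
    ttl: int
    entries: dict = field(default_factory=dict)  # serial -> (status, expiry)

    def status(self, serial: str, now: int) -> str:
        hit = self.entries.get(serial)
        if hit and now < hit[1]:
            return hit[0]  # stale answer served straight from the cache
        fresh = self.authority.status(serial)
        self.entries[serial] = (fresh, now + self.ttl)
        return fresh


def stale_window(ttl: int, revoke_at: int, horizon: int) -> list:
    """Timestamps (1..horizon-1) at which a client behind the cache still
    sees 'good' for a certificate that was revoked at revoke_at."""
    auth = RevocationAuthority()
    cache = TTLCache(auth, ttl)
    serial = "0x1234"  # constructed serial, not a real certificate
    cache.status(serial, 0)  # first lookup at t=0 caches the 'good' answer
    stale = []
    for t in range(1, horizon):
        if t == revoke_at:
            auth.revoke(serial)
        if t >= revoke_at and cache.status(serial, t) == "good":
            stale.append(t)
    return stale
```

With a one-hour TTL and a revocation ten seconds after the first check, the revoked certificate is accepted for the remaining 3590 seconds; with no caching at all the window is empty.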